Slide 1 Author: Ari Juels Presenter: Yuliya Kopylova CSCE 790 RFID Security and Privacy.


Slide 2: Roadmap
- Background
- RFID Risks
- Privacy: Simple Solutions
- Privacy: More Involved Solutions
- Authentication: Some Solutions
- Conclusion

Slide 3: What is RFID?
- Radio-Frequency Identification
  (Figure labels: Tag, Chip, Antenna)
- Sticker containing microchip and antenna
- Gains power from wireless signal received from tag reader
- Tag-reader communication with range of up to half a meter
- Tag returns its unique number and static data

Slide 4: How Does RFID System Work?
- Tags (transponders)
  - Attached to objects, “call out” identifying data on a special radio frequency
  - Example: 02.3DFEX4.78AF51 (EasyToll card #816)
- Reader (transceiver)
  - Reads data off the tags without direct contact
  - Radio signal (contactless)
  - Range: from 3-5 inches to 3 meters
- Database
  - Matches tag IDs to physical objects
- Management system
- Communication protocol
- Computer networks
- Tags consist of an antenna and a microchip
- Readers consist of a transmitter, receiver, 1+ antennas

Slide 5: RFID Advantages
Barcode:
- Line-of-sight reading
  - Reader must be looking at the barcode
- Specifies object type
  - E.g., “I am a pack of Juicy Fruit”
RFID:
- Reading by radio contact
  - Reader can be anywhere within range
- Specifies unique object id
  - E.g., “I am a pack of Juicy Fruit #86715-A”
- Fast, automated scanning (object doesn’t have to leave pocket, shelf or container)
- Can look up this object in the database (provides pointer)

Slide 6: RFID Tag Power Sources
- Passive
  - Inactive until the reader’s interrogation signal “wakes” them up
  - Cheap, but short range only
- Semi-passive
  - On-board battery, but cannot initiate communication
  - More expensive, longer range
- Active
  - On-board battery, can initiate communication

Slide 7: RFID Types
- Inductive Coupling
- Backscatter (radiative) Coupling

Slide 8: Closer look

Slide 9: RFID examples
- Pervasive devices
  - Low memory, few gates
  - Low power, no clock, little state
  - Low computational power
- You may own a few.
- Billions on the way.

Slide 10: Current Applications
- Public transport and ticketing
- Access control
- Logistics
- Animal identification
- Anti-theft system
- Real time measurements in sports
- Inventory control in supermarkets
- Electronic payments
- Industry automation
- Medical
- Banknotes, casino chips

Slide 11: Futuristic Applications
- “Smart” appliances
  - Refrigerators that automatically create shopping lists
  - Closets that tell you what clothes you have available, and search the Web for advice on current styles, etc.
  - Ovens that know how to cook pre-packaged food
- “Smart” products
  - Clothing, appliances, CDs, etc. tagged for store returns
- “Smart” paper
  - Airline tickets that indicate your location in the airport
  - Library books
  - Business cards
- Recycling
  - Plastics that sort themselves

Slide 12: RFID Risks
- Mr. Jones pays with a credit card; his RFID tags now linked to his identity
- Mr. Jones attends a political rally; law enforcement scans his RFID tags
- Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID

Slide 13: Why RFID Risks Arise
Three technical aspects of today’s RFID tags create potential problems:
- They are promiscuous: they talk to any compatible reader.
- They are remotely readable: they can be read at a distance through materials like cardboard, cloth, and plastic.
- They are stealthy: not only are the tags inconspicuous, you don't know when they are transmitting information or to whom.
In short, the personal information

Slide 14: Risks: Privacy
- Personal privacy
  - Clandestine inventory and tracking
    - Unsanctioned readers
  - Customer profiling
    - Tracking personal activities (e.g., purchase habits, travel)
  - Big brother
    - Illicit or inappropriate use of personal data
- Data cross contamination
  - Inventory tags plus personal info
- Corporate espionage
  - Track your competitor’s inventory
- Military espionage
  - Harvesting RFID communication to make inferences

Slide 15: Risks: Eavesdropping
- Read ranges
  - Nominal read range
    - max distance at which a normally operating reader can reliably scan tags
  - Rogue scanning range
    - rogue reader can emit stronger signal and read tags from a larger distance than the nominal range
  - Tag-to-reader eavesdropping range
    - read-range limitations result from the requirement that the reader powers the tag
    - however, one reader can power the tag, while another one can monitor its emission (eavesdrop)
  - Reader-to-tag eavesdropping range
    - readers transmit at much higher power than tags
    - readers can be eavesdropped from much further
    - readers may reveal tag specific information

Slide 16: Risks: Counterfeits
- Comes down to authentication
- How it can be accomplished
  - Replaying (RF “tape-recorder”)
  - Tag cloning
  - Back-engineering
- A few examples from real life (easy to break)
  - Speed passes
  - Ignition keys
  - Physical coercion and attack
    - In 2005, a man in Malaysia had his fingertip cut off by thieves stealing his biometric-enabled Mercedes
    - What would happen if the VeriChip were used to access ATM machines and secure facilities?
  - Perhaps it is better then if tags can be cloned and are not used for authentication—only for identification

Slide 17: RFID capabilities
- Little power
  - Receives power from reader
  - Range a few meters
- Little memory
  - Static 64-to-128-bit identifier
  - Hundreds of bits soon
- Little computational power
  - A few thousand gates
  - No cryptographic functions available
  - Static keys for read/write permission
- In terms of computational power can be divided into
  - BASIC tags
  - SYMMETRIC KEY tags

Slide 18: Privacy protection approaches
- Standard tags
  - jamming
  - “kill” command
  - “sleep” command
  - renaming
  - blocking
- Crypto enabled tags
  - synchronization approach
  - hash chain based approach
  - tree approach

Slide 19: Easiest solution
- Keep it close to your body
  - Liquids are not penetrable by microwave frequencies
- Faraday cage
  - Container made of foil or metal mesh, impenetrable by radio signals of certain frequencies
  - Shoplifters are already known to use foil-lined bags
  - Maybe works for a wallet, but huge hassle in general
- Active jamming
  - Disables all RFID, including legitimate applications
- All kinds of the above protections can be purchased nowadays
  - protective sleeves for passports, wallets, IDs, etc.

Slide 20: Dead tags tell no tales
- Idea: permanently disable tags with a special “kill” command
  - part of the EPC specification
- Advantages: simple and effective
- Disadvantages:
  - eliminates all post-purchase benefits of RFID for the consumer and for society
    - no return of items without receipt
    - no smart household appliances
  - cannot be applied in some applications
    - library, e-passports, banknotes
- Similar approaches: put RFID tags into price tags or packaging which are removed and discarded

Slide 21: Don’t kill the tag, put it to sleep
- Idea: instead of killing the tag, put it in sleep mode
  - tag can be re-activated if needed
- Advantages: simple, effective
- Disadvantages: difficult to manage in practice
  - tag re-activation must be password protected
  - how will consumers manage hundreds of passwords for their tags?
  - passwords can be printed on tags, but then they need to be scanned optically or typed in by the consumer

Slide 22: Partial destruction
- Renaming
  - In simplest case renaming to gibberish
  - No intrinsic meaning
  - Still can be tracked
    - Backscatter from antennas
    - Hypothesize manufacturer type may be learnable
    - Do tags possess uniquely detectable RF fingerprints? (Device signatures a staple of electronic warfare)
- Relabelings
  - Retain only product ID for later use
  - Destroy unique ID at the time of purchase
- Splitting identifiers across two tags
  - Peel off one at time of purchase

Slide 23: Distance Measuring
- Signal-to-noise ratio of the reader signal in an RFID system provides a rough metric of the distance between a reader and a tag.
- With some additional, low-cost circuitry a tag might achieve rough measurement of the distance of an interrogating reader.
- Distance can serve as a metric for trust.
  - Release general information (“I am attached to a bottle of water”) when scanned at a distance
  - Release more specific information (ID) only at close range.

Slide 24: Proxying
- Proxying
  - Consumers carry their own privacy-enforcing devices (higher-powered intermediaries like mobile phones)
  - Watch dog
    - Observer observing the observer: monitor if someone scans you
    - Selectively jams tag replies as needed
  - RFID guardian
    - Talk to the guardian first
    - Communication is released through a fortified intermediate

Slide 25: Proxying
- Problems
  - Change of ownership: how to release control
  - Impersonating the guardian itself
  - Cannot suppress tag replies entirely, only jam
  - Cannot suppress reader commands
(Figure caption: “Please show reader certificate and privileges”)

Slide 26: Renaming
- Idea: avoid using real IDs, change identifiers across the reads
  - get rid of fixed names (identifiers)
  - pseudonyms stored on tag (limited storage, i.e. 10 or so), tag cycles through pseudonyms
  - use random pseudonyms and change them frequently
- Requirements:
  - only authorized readers should be able to determine the real identifier behind a pseudonym
  - standard tags cannot perform computations -> next pseudonym to be used must be set by an authorized reader
- A possible implementation
  - pseudonym = {R | ID}_K
    - R is a random number
    - K is a key shared by all authorized readers
  - authorized readers can decrypt pseudonyms and determine real ID
  - authorized readers can generate new pseudonyms
  - for unauthorized readers, pseudonyms look like random bit strings
- Potential problems
  - tracking is still possible between two renaming operations
  - if someone can eavesdrop during the renaming operation, then she may be able to link the new pseudonym to the old one
  - no reader authentication -> rogue reader can overwrite pseudonyms in tags (tags will be erroneously identified by authorized readers)

Slide 27: Example of RNG
(Figure labels: V, Random Bits, No Connect)
The voltage signal is amplified, disturbed, stretched, and sampled, resulting in random bits.

Slide 28: Renaming (re-encryption)
- A public key based implementation: El Gamal scheme
  - Inputs are ciphertexts
  - Outputs are a re-encryption of the inputs.
  - Anyone can encrypt without the public key E
  - Those who know the secret key D can also decrypt
- Messages encrypted with different keys are indistinguishable

Slide 29: Renaming (re-encryption)
- El Gamal encryption parameters
  - Public parameters:
    - q is a prime
    - p = 2kq + 1 is a prime
    - g: generator of G_p, i.e. efficient description of a cyclic group of order q with generator g (I know only one generator which is relatively prime)
  - Secret key of RFID tag: x (where 0 < x < q)
  - Public key of RFID tag: y = g^x mod p
- Encryption for message (plaintext) m
  1. Pick a number k randomly from [0…q-1]
  2. Compute a = y^k · m mod p and b = g^k mod p
  3. Output (a, b)

Slide 30: Renaming (re-encryption)
- Decryption
  - Compute m as a / b^x (= y^k · m / (g^k)^x = g^(xk) · m / g^(kx) = m)
- One can re-encrypt a ciphertext (a, b) without decryption. Input: a ciphertext (a, b) and public key y
  1. Pick a number  randomly from [0…q-1]
  2. Compute a’ = y . a mod p and b’ = g . b mod p
  3. Output (a’, b’)
- Same decryption technique
  - Compute m as a’ / b’^x (= y^k · y  · m / (g^k · g  )^x = g^(x(k+ )) · m / g^(x(k+ )) = m)
- Properties:
  - new tag pseudonyms can be computed by readers that know the public key
  - real tag ID can be computed only by readers that know the private key
  - Semantic security: cannot distinguish between C = E_{PK,r}[Alice] and C’ = E_{PK,r’}[Bob]
    - An attacker who intercepts C and C’ cannot tell if they come from the same chip, that is, the attacker cannot identify or track Alice
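
The El Gamal encryption, re-encryption and decryption steps of slides 29 and 30, as an added example that is not part of the original slides. The group (q = 1019, p = 2q + 1 = 2039, g = 4) is a constructed toy parameter set, and the name s for the fresh exponent used in re-encryption is chosen here.

```python
import secrets

# Constructed toy parameters, far too small for real use:
# q and p = 2q + 1 are prime; g = 4 generates the subgroup of order q.
Q = 1019
P = 2 * Q + 1
G = 4


def keygen():
    """Return (x, y): secret key 0 < x < q and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, m, k=None):
    """El Gamal-encrypt m (1 <= m < p) under y; k is random unless given."""
    if k is None:
        k = secrets.randbelow(Q)
    return (pow(y, k, P) * m) % P, pow(G, k, P)


def reencrypt(y, ct, s=None):
    """Re-randomize ciphertext (a, b) using only the public key y."""
    a, b = ct
    if s is None:
        s = secrets.randbelow(Q)          # fresh exponent (name assumed here)
    return (pow(y, s, P) * a) % P, (pow(G, s, P) * b) % P


def decrypt(x, ct):
    """Recover m = a / b^x mod p; requires the secret key x."""
    a, b = ct
    return (a * pow(b, P - 1 - x, P)) % P  # b^(p-1-x) is the inverse of b^x


def pseudonym_trail(tag_id, reads=5):
    """Simulate a tag whose stored pseudonym is re-encrypted after each read.

    Returns (pseudonyms seen over the air, IDs an authorized reader decodes).
    """
    x, y = keygen()
    ct = encrypt(y, tag_id)
    seen = []
    for _ in range(reads):
        seen.append(ct)
        ct = reencrypt(y, ct)              # any reader holding y can do this
    return seen, [decrypt(x, c) for c in seen]


if __name__ == "__main__":
    seen, decoded = pseudonym_trail(tag_id=1234)
    for c, d in zip(seen, decoded):
        print(c, "->", d)
```

For the indistinguishability property the ID has to be encoded as an element of the order-q subgroup; the toy code skips that encoding step.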

Slide 31: Blocking
- When the reader sends a signal, more than one RFID tag may respond: this is a collision
  - In a typical commercial application, such as scanning a bag of groceries, potentially hundreds of tags might be within range of the reader.
- Reader must engage in a special singulation protocol to talk to each tag separately
  - Singulation is used by an RFID reader only when necessary to identify a specific tag (and its ID) from a number of tags in the field
- Tree-walking is a common singulation method
  - Used by 915 MHz tags, the most common type in the U.S.
  - Slotted aloha is used for LF tags

Slide 32: Anti-collision
- "Tree Walking"
- Recursive depth-first search
- Requirement: reader is able to detect bit position of a collision
- Example: 1 reader, 3 transponders, 3-bit ID
- Synchronized by reader
- Example: 1 reader, 5 tags, 8-bit ID

Slide 33: Tree Walking
(Figure: binary tree of prefixes. First level: prefix=0, prefix=1. Second level: prefix=00, prefix=01, prefix=10, prefix=11. Leaves: 000, 001, 010, 011, 100, 101, 110, 111.)
- Every tag has a k-bit identifier
- Reader broadcasts current prefix
- Each tag with this prefix responds with its next bit
- If responses don’t collide, reader adds 1 bit to current prefix, otherwise tries both possibilities
- This takes O(k × number of tags)

Slide 34: Tree-Walking
- “Tree-walking” protocol for identifying tags recursively asks the question: “What is your next bit?”
  - Something along the lines of: “Will all tags with 1 as their first digit raise their hand”. “Will all tags with 1 as their first digit, and 0 as their second....”
- Blocker tag always says both ‘0’ and ‘1’!
  - Makes it seem like all possible tags are present by making an RFID tag misbehave, and answers yes to every question.

Slide 35: Blocker Tag
- A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader
  - Guarantees collision no matter what tags are present
  - To talk to a tag, reader must traverse every tree path
    - With 128-bit IDs, reader must try 2^128 values – infeasible!
- To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges)
- Blocker tag can be selective:

Slide 36: Blocker Tag
- Privacy zone
  - tree is divided into two zones
  - privacy zone: all IDs starting with 1
  - upon purchase of a product, its tag is transferred into the privacy zone by setting the leading bit
- The blocker tag
  - when the prefix in the reader’s query starts with 1, it simulates a collision
  - when the blocker tag is not present, everything works normally
- Alternative: polite blocking (notify the reader)
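
The tree-walking reader of slides 33 to 36 with and without a blocker tag, as an added simulation that is not part of the original slides. The 8-bit tag IDs, the function names and the max_queries give-up limit are constructed for this example.

```python
def tree_walk(tags, k, blocker_zone=None, max_queries=100_000):
    """Depth-first singulation over k-bit IDs given as bit strings.

    tags         -- set of IDs physically present in the reader's field
    blocker_zone -- None for no blocker; otherwise the blocker answers both
                    '0' and '1' to every query whose prefix starts with this
                    string ('' blocks the whole tree, '1' the privacy zone)
    Returns (ids_reported, queries_sent, finished).
    """
    reported, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == k:
            reported.append(prefix)        # reader believes this ID is present
            continue
        if queries == max_queries:
            return reported, queries, False    # reader gives up
        queries += 1
        # Every tag whose ID starts with the prefix replies with its next bit.
        bits = {t[len(prefix)] for t in tags if t.startswith(prefix)}
        if blocker_zone is not None and prefix.startswith(blocker_zone):
            bits = {"0", "1"}              # blocker simulates a collision
        for bit in sorted(bits, reverse=True):
            stack.append(prefix + bit)     # one branch, or both on collision
    return reported, queries, True


def move_to_privacy_zone(tag_id):
    """At purchase, set the leading bit so the ID falls in the '1' zone."""
    return "1" + tag_id[1:]


# Constructed 8-bit IDs: two items still on the shelf, two already bought.
SHELF = {"00101100", "01110001"}
BOUGHT = {move_to_privacy_zone(t) for t in ("00010110", "01100011")}


def scenario():
    """Walk the same field without a blocker, with a selective one, and a
    128-bit tree under a universal blocker."""
    field = SHELF | BOUGHT
    plain = tree_walk(field, 8)
    selective = tree_walk(field, 8, blocker_zone="1")
    universal = tree_walk(set(), 128, blocker_zone="", max_queries=5000)
    return plain, selective, universal


if __name__ == "__main__":
    for name, (ids, queries, done) in zip(
            ("no blocker", "selective blocker", "universal blocker"),
            scenario()):
        print(f"{name}: {len(ids)} IDs reported, {queries} queries, "
              f"finished={done}")
```

With the selective blocker the shelf tags are still read normally, while the reader is handed every ID in the privacy zone and cannot tell the two purchased tags from the phantom ones.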

Slide 37: Hash Locks
- Locked tag transmits only metaID
- Similar to the proximity approach
- Unlocked tag can do all operations
- Locking mechanism:
  - Reader R selects a nonce and computes metaID = hash(key)
  - R writes metaID to tag T
  - T enters locked state
  - R stores the pair (metaID, key).
- Unlocking
  - Reader R queries tag T for its metaID
  - R looks up (metaID, key)
  - R sends key to T
  - If (hash(key) == metaID), T unlocks itself

Slide 38: Hash locks
- Cheap to implement on tags: a hash function and storage for metaID.
- Security based on hardness of hash.
- Hash output has nice random properties.
- Low key look-up overhead.
- Tags respond predictably; allows tracking. Motivates randomization.
- Requires reader to know all keys

Slide 39: Randomized Hash Locks
Goal: authenticate reader to the RFID tag
- Reader: stores all IDs: ID_1, …, ID_n
- RFID tag: stores its own ID_k
- Reader -> tag: “Who are you?”
- Tag: generate random R
- Tag -> reader: R, hash(R, ID_k)
- Reader: compute hash(R, ID_i) for every known ID_i and compare
- Reader -> tag: “You must be ID_k”

Slide 40: Randomized Hash Locks
- Tag must store hash implementation and pseudo-random number generator
  - Low-cost RNGs exist; can use physical randomness
- Secure against tracking because tag response is different each time
- Reader must perform brute-force ID search
  - Effectively, reader must stage a mini-dictionary attack to unlock the tag
- Alternative: better searching
  - Tree approach
  - Synchronization approach
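
The hash lock of slide 37 beside the randomized hash lock of slides 39 and 40, as an added example that is not part of the original slides. SHA-256 stands in for the tag's hash function, and the class names, the 16-byte R and the sample IDs are assumptions made here.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    # SHA-256 is an assumption; the slides do not name a hash function.
    return hashlib.sha256(data).digest()


class HashLockTag:
    """Slide 37: a locked tag answers every query with the same metaID."""

    def __init__(self, key: bytes):
        self.meta_id = H(key)          # written by the reader when locking
        self.locked = True

    def query(self) -> bytes:
        return self.meta_id

    def unlock(self, key: bytes) -> bool:
        if hmac.compare_digest(H(key), self.meta_id):
            self.locked = False
        return not self.locked


class RandomizedTag:
    """Slide 39: the tag answers with (R, hash(R, ID_k)) for a fresh R."""

    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def query(self):
        r = secrets.token_bytes(16)    # fixed-length R, so R || ID is unambiguous
        return r, H(r + self.tag_id)


def identify(response, known_ids):
    """Reader side: compute hash(R, ID_i) for every known ID_i and compare.

    Returns (matching ID or None, number of hashes computed).
    """
    r, digest = response
    for tried, tag_id in enumerate(known_ids, start=1):
        if hmac.compare_digest(H(r + tag_id), digest):
            return tag_id, tried
    return None, len(known_ids)


def linkable(tag, reads=3):
    """True if an eavesdropper sees identical bytes on every read."""
    return len({repr(tag.query()) for _ in range(reads)}) == 1


if __name__ == "__main__":
    ids = [b"ID-%03d" % i for i in range(200)]     # constructed back-end list
    print("static metaID linkable:", linkable(HashLockTag(b"constructed-key")))
    tag = RandomizedTag(ids[137])
    print("randomized linkable:", linkable(tag))
    print("reader search:", identify(tag.query(), ids))
```

The second value returned by identify is the per-read cost that the tree and synchronization approaches are meant to reduce: it grows linearly with the number of tags the reader knows.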

Slide 41: Avoiding brute force (synchronization)
- Operation of the tag:
  - state is s_i
  - when queried, the tag responds with the current pseudonym p_i = G(s_i) and computes its new state s_{i+1} = H(s_i)
- Operation of the reader:
  - reader must approximately know the current counter value of each tag
  - for each tag, it maintains a table with the most likely current counters and corresponding pseudonyms
  - when a tag responds with a pseudonym p, it finds p in any of its tables, identifies the tag, and updates the table corresponding to the tag
  - one-wayness of the hash ensures that current counter value cannot be computed from observed pseudonym
- c is a counter, H and G are one-way hash functions
- reader maintains synchronized state with tags

Slide 42: Avoiding brute force (tree of secrets)
- Tag == leaf of the tree.
- Each tag receives the keys on path from leaf to the root.
- Tag_ij generates pseudonyms as (Key_1(r), Key_2(r), …, F_{k_ij}(r)).
- Reader can decode pseudonym using a depth-first search.
- In the worst case, the reader searches through d·b keys, where d is the depth of the tree, and b is the branching factor
  - compare this to b^d, which is the total number of tags

Slide 43: Authentication Workarounds
- No explicit counterfeiting measures whatsoever
- Possible solutions:
  - Repurpose the kill function for limited counterfeit
  - Yoking
    - cryptographic proof that two tags have been scanned simultaneously and evidence (although not proof) that the tags were scanned in physical proximity to one another.
    - Usable only in certain circumstances (pharmacy, aircraft safety)
  - Physical markers
    - Similar to explosive markers
    - Special dyes and packaging

Slide 44: HB Protocol
- Created by Nicholas Hopper and Manuel Blum as a tool for secure authentication and identification of unassisted humans to computers.
- Juels and Weis realized that this protocol was actually a natural protocol for the authentication of RFID tags to readers.
- The security of the HB Protocol is based on the underlying hardness of the Learning Parity with Noise (LPN) problem.

Slide 45: HB Protocol Definitions
- The secret x is a k-length binary string (tag ID).
  - The tag needs to prove to the reader that it knows one of the S's on the reader's list of acceptable secrets.
  - The tag only has one secret, but the reader generally has many.
- A query q is also a k-length binary string.
  - Produced by the reader.
  - One query is produced for each iteration of the protocol.
- Epsilon is a probability, ranging from 0 to ½, that the response calculated by the tag will be flipped: if the correct response was 1, the tag will send back 0, and vice versa.
- Nu equals 1 with probability epsilon.
- Delta is an error factor, ranging from 0 to ½, that defines how close the tag's actual flipping of responses must be to epsilon in order to be accepted.

Slide 46: Crypto RFID: authentication (HB Protocol)
Goal: authenticate RFID tag to the reader
- Reader: knows secret x; parameter ε
- RFID tag: knows secret x; parameter ε
- Reader -> tag: k-bit random value a
- Tag: generate random v: 1 with prob. ε, else 0
- Tag -> reader: (a · x) ⊕ v
- Reader: response correct if it is equal to (a · x)
  - ε chance that response is incorrect
- Repeat r times
- RFID tag is authenticated if fewer than εr responses are incorrect

Slide 47: Crypto RFID: authentication (HB+ Protocol)
Goal: authenticate RFID tag to the reader
- Reader: knows secrets x, y; parameter ε
- RFID tag: knows secrets x, y; parameter ε
- Tag -> reader: blinding value b
- Reader -> tag: k-bit random value a
- Tag: generate random v: 1 with prob. ε, else 0
- Tag -> reader: (a · x) ⊕ (b · y) ⊕ v
- Reader: response correct if it is equal to (a · x) ⊕ (b · y)
- Repeat r times
- RFID tag is authenticated if fewer than εr responses are incorrect
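
Both sides of the HB+ exchange from slide 47, with HB from slide 46 as the special case y = 0, as an added simulation that is not part of the original slides. The 64-bit secret length, the class and function names and the acceptance margin passed as threshold are assumptions made here; a threshold equal to the noise rate itself would reject an honest tag in roughly half of all runs.

```python
import random

K = 64                          # secret length in bits (constructed value)
rng = random.SystemRandom()


def dot(u: int, v: int) -> int:
    """Inner product of two K-bit vectors over GF(2)."""
    return bin(u & v).count("1") & 1


class Tag:
    """HB+ tag holding secrets x and y; with y = 0 it behaves as plain HB."""

    def __init__(self, x: int, y: int, eps: float):
        self.x, self.y, self.eps = x, y, eps
        self.b = 0

    def blind(self) -> int:
        self.b = rng.getrandbits(K)            # blinding value b
        return self.b

    def respond(self, a: int) -> int:
        v = 1 if rng.random() < self.eps else 0    # noise bit, 1 with prob. eps
        return dot(a, self.x) ^ dot(self.b, self.y) ^ v


def authenticate(tag, x, y, rounds, threshold):
    """Reader side: run `rounds` iterations and count incorrect responses.

    Accepts if fewer than threshold * rounds responses are incorrect.
    Returns (accepted, number_of_incorrect_responses).
    """
    wrong = 0
    for _ in range(rounds):
        b = tag.blind()
        a = rng.getrandbits(K)                 # k-bit random challenge
        z = tag.respond(a)
        if z != (dot(a, x) ^ dot(b, y)):
            wrong += 1
    return wrong < threshold * rounds, wrong


if __name__ == "__main__":
    x, y = 0x9E3779B97F4A7C15, 0xC2B2AE3D27D4EB4F   # constructed secrets
    print("honest  :", authenticate(Tag(x, y, 0.125), x, y, 1000, 0.25))
    print("impostor:", authenticate(Tag(x ^ 1, y, 0.125), x, y, 1000, 0.25))
```

A tag holding a wrong secret answers correctly only about half the time, so over 1000 rounds its error count sits near 500, far above the margin.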

Slide 48: Wrapping it up
- Some basic trends are apparent:
  - Pressure to build smaller, cheaper tags without cryptography
    - reverse-engineering a cheap RFID tag unlikely to be hard…
  - Urgent need for cheaper hardware for primitives
  - “Security through obscurity” doesn’t work
- Simple static identifiers are the most naïve
  - How about encrypting ID?
  - How about creating new static identifiers, i.e., “meta-ID”
  - How about a law-enforcement access key?
    - Tag-specific keys require initial release of identity
    - Universal keys subject to interception
- Special properties:
  - RFID tags are close and personal, giving privacy a special dimension
  - RFID tags change ownership frequently
  - Key management will be a major problem
    - Think for a moment after this talk about distribution of kill passwords…
    - Are there good hardware approaches to key distribution, e.g., proximity as measure of trust
- Some privacy is clearly better than for naive approaches

Slide 49: Future Work
- Authentication algorithms with human protocols
- New and emerging problems
- Tag identification with delegation, ownership transfer
- Efficient cloning-resistant identification algorithms
- Find new and improve existing algorithms

